Support

Admin Tools

#33482 templ=component throwing WAF security exceptions

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by adoucette on Monday, 03 August 2020 18:36 CDT

Friday, 31 July 2020 19:55 CDT

adoucette

Hello,

First, I really like your AdminTools product -- thank you for providing it.

Lately I've been having a problem with the "block templ=" feature in the Web Application Firewall (WAF) Cloaking settings.

We use ACYMailing to send out newsletters and these have a "click to view in your browser" link at the top of them. The link auto-generated by ACY has "templ=component" in the URL. This causes a security exception in AdminTools when recipients click on it. I can see these listed in the WAF Blocked Request Log.

I have "Block tmpl=foo system template switch", "Block template=foo site template switch", and "Enable 404 Shield" set to "Yes" and "Allow site templates" set to no. In the "List of allowed tmpl= keywords" I have entered "component,system,raw,site-default-template".

I had thought that enabling "component" in the list of allowed templ= would fix this.

How do I go about fixing this without compromising security?

Thanks again,

Ari

Edited by on 2020-08-31 17:45 CDT

Monday, 03 August 2020 01:19 CDT

nicholas

Please look again at the screenshot you sent me. The URL displays tmpl=dbzcbafag. The key dbzcbafag is not in your  “List of allowed tmpl= keywords”. Therefore it will be blocked. However, don't add it just yet!

Are you absolutely sure this is a legitimate link? To me, it looks like someone is doing a fuzzing attack on your site, trying to find vulnerabilities in installed components. There's no such thing as tmpl=dbzcbafag in Joomla and this is the first time I see it in AcyMailing either. Double check that the Target URL you see corresponds to the link in the email.

I do not think that what you have here is a problem in Admin Tools. I think it's a legitimate attack that Admin Tools blocked. Here are some data points that make me think it's not a legitimate link:

  • There is no mention of  tmpl=dbzcbafag in AcyMailing's code. There is tmpl=component in the acym_noTemplate() function it uses to create links meant to be presented without the site's template.
  • If the past 14 years have taught me one thing is that when two popular products often used together, like Admin Tools and AcyMailing, become incompatible it takes 6 to 36 hours for their developers to hear about it and the reports come in bucketloads. It's been a week since the last release of AcyMailing. Nobody has reported this problem. The likelihood that you are the canary in the mine is very small.
  • What AcyMailing tries to do – display the email without the site's template around it – is something that can be done two ways since Joomla! 1.0. You either use tmpl=component (recommended) or format=raw (special cases only). It's highly unlikely that AcyMailing was correctly using tmpl=component for 11 years and suddenly decided to do something dangerous and pointless. It's not like them.
  • Even when misguided developers use a custom tmpl keyword, even though it's never necessary in Joomla, they use something which is somewhat human readable, not an inscrutable jumble of characters like dbzcbafag. Developers don't like undermining their own debugging efforts.
  • The string dbzcbafag is simply someone trying to type "random" characters with their left hand on the keyboard.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Monday, 03 August 2020 18:36 CDT

adoucette

Nick, you are correct. I didn't realize the template in the blocked URL was in fact "dbzcbafag", I had mistakenly thought it was "component". Thanks.

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!